

Tor Vidalia Bundle


Author Name
Matt Nelson
Artifact or Program Version
Vidalia Bundle
Artifact Description
This artifact contains information pertinent to a “default” Tor Vidalia Bundle. The Vidalia Bundle contains Tor, Vidalia, Polipo, and Torbutton. No browser (like Firefox) is included.

Obviously, these artifacts are based on a default full install of the Vidalia Bundle; the user could choose to change some of the features of the install (for example not starting Vidalia at startup, skipping the Start Menu entries, or skipping individual install components).


Specific Files:
Tor.exe – executable that handles creating the “circuit” into the Tor onion network (vers. 0.2.2.37)
Vidalia – GUI controller for Tor. Aids in the configuration of Tor without editing the config files manually (vers. 0.2.19)
Polipo – a tiny caching web proxy. Allows applications that are not directly SOCKS capable to be sent through Tor.
Torbutton – a Firefox extension that allows for quickly switching to Tor browsing. (Firefox must be enabled; Torbutton has since been rolled into the Tor Browser.)
Additionally, the user can change Tor's configuration to make it a Relay, an Exit Relay, or a Bridge. The user can also serve up a Tor Hidden Service that is only reachable on the Tor network.
Registry Keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\DisplayName: “Polipo 1.0.4.1”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\UninstallString: “”C:\Program Files\Vidalia Bundle\Uninstall.exe””
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo\NoRepair: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\DisplayName: “Tor 0.2.2.37”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\UninstallString: “”C:\Program Files\Vidalia Bundle\Uninstall.exe””
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\NoRepair: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\DisplayName: “Vidalia 0.2.19”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\UninstallString: “”C:\Program Files\Vidalia Bundle\Uninstall.exe””
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\NoRepair: 0x00000001
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\[username]\Desktop\vidalia-bundle-0.2.2.37-0.2.19.exe: “Vidalia Bundle 0.2.2.37-0.2.19”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe: “Vidalia”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\Vidalia: “”C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe””
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Polipo\Install_Dir: “C:\Program Files\Vidalia Bundle”
File Locations
Default install location:
C:\Program Files\Vidalia Bundle
Default Tor location:
C:\Program Files\Vidalia Bundle\Tor\tor.exe
Default location of the Tor configuration file:
C:\Documents and Settings\[username]\Local Settings\Application Data\Vidalia\torrc < (contains the Tor configuration details)
Default Polipo location:
C:\Program Files\Vidalia Bundle\Polipo\polipo.exe
Default Polipo config file location:
C:\Program Files\Vidalia Bundle\Polipo\polipo.conf < (contains the Polipo configuration details)
Other key dirs/files:
C:\Documents and Settings\[username]\Local Settings\Application Data\Vidalia
geoip-cache
torrc
torrc.orig.1
vidalia.conf
vidalia.pid
C:\Documents and Settings\[username]\Local Settings\Application Data\Tor
geoip
C:\Program Files\Vidalia Bundle\Vidalia\
cached-certs
cached-consensus
cached-descriptors
cached-descriptors.new
Research Links
https://www.torproject.org/about/overview.html.en
http://www.pps.univ-paris-diderot.fr/~jch/software/polipo/
Forensic Programs of Use
RegShot, WireShark, ProcessHacker
Any Other Information
Network Indicators (local):
polipo.exe – 127.0.0.1, port 8118/TCP, Listening (Polipo proxy port)
tor.exe – 127.0.0.1, port 9050/TCP, Listening (Tor listening SOCKS)
tor.exe – localhost, port 9051/TCP, Listening (control port)
If Tor has completed a “circuit” to the Tor network you will see established connections to various hosts:
tor.exe – chuck-pc.here.xxx, 1144, [111.111.111.1111], 9001, TCP, Established < IP can vary
tor.exe – chuck-pc.here.xxx, 1144, host.somewhere.com, 9001, TCP, Established < remote hostname can vary
As circuits drop and new ones are established, you will see these connections drop and come online.
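The registry keys and network indicators above can be checked offline against text collected from a host. The following is an added example, not part of the original artifact entry: it matches the three Uninstall keys, the per-user Run\Vidalia autostart value, the local listeners on 8118/9050/9051 and tor.exe connections to remote port 9001 against captured text in the layouts of a RegShot comparison report, `netstat -ano` and `tasklist /FO CSV`. The sample inputs are constructed for the example (the SID is the one shown on this page; the remote addresses and PIDs are made up); the matching logic is what you would point at real captures.

```python
"""Offline triage for the Vidalia Bundle indicators listed on this page."""
import csv
import io
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# Indicators taken from the artifact description above.
UNINSTALL_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Polipo",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia",
)
# Per-user autostart value; the SID differs on every host, so match it loosely.
RUN_KEY_RE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vidalia\b",
    re.IGNORECASE,
)
# Local listening ports -> (expected image name, role).
LOCAL_LISTENERS = {
    8118: ("polipo.exe", "Polipo proxy port"),
    9050: ("tor.exe", "Tor SOCKS port"),
    9051: ("tor.exe", "Tor control port"),
}
OR_PORT = 9001  # remote port on the established circuit connections above

# One `netstat -ano` TCP row: local ip:port, remote ip:port, state, pid.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\w+)\s+(\d+)\s*$")


def check_registry(regshot_lines):
    """Flag Uninstall keys (one finding per component) and the Run\\Vidalia value."""
    findings, seen = [], set()
    for raw in regshot_lines:
        line = raw.strip()
        for key in UNINSTALL_KEYS:
            component = key.rsplit("\\", 1)[1]
            rest = line[len(key):]
            # Prefix match on the key itself or one of its values, case-insensitive.
            if (line[:len(key)].lower() == key.lower()
                    and (rest == "" or rest[0] in "\\:") and component not in seen):
                seen.add(component)
                findings.append(Finding("uninstall", component))
        if RUN_KEY_RE.match(line):
            findings.append(Finding("autostart", line))
    return findings


def parse_tasklist_csv(text):
    """Map PID -> lower-cased image name from `tasklist /FO CSV` output."""
    return {int(row["PID"]): row["Image Name"].lower()
            for row in csv.DictReader(io.StringIO(text))}


def check_netstat(netstat_text, pid_to_image):
    """Flag the bundle's local listeners and tor.exe circuits to remote port 9001."""
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        lip, lport, rip, rport, state, pid = m.groups()
        lport, pid = int(lport), int(pid)
        image = pid_to_image.get(pid, "unknown")
        if state == "LISTENING" and lport in LOCAL_LISTENERS:
            expected, role = LOCAL_LISTENERS[lport]
            # A different image on a known port still deserves a look (renamed binary, other software).
            note = "" if image == expected else f" (expected {expected})"
            findings.append(Finding("listener", f"{image} pid {pid} {lip}:{lport} {role}{note}"))
        elif state == "ESTABLISHED" and rport == str(OR_PORT) and image == "tor.exe":
            findings.append(Finding("circuit", f"{image} pid {pid} {lip}:{lport} -> {rip}:{rport}"))
    return findings


def triage(regshot_text, netstat_text, tasklist_csv):
    """Run both checks over captured text and return the combined findings."""
    return (check_registry(regshot_text.splitlines())
            + check_netstat(netstat_text, parse_tasklist_csv(tasklist_csv)))


# Constructed sample captures (not real host data).
SAMPLE_REGSHOT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tor\DisplayName: "Tor 0.2.2.37"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vidalia\DisplayName: "Vidalia 0.2.19"
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\Vidalia: ""C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe""
HKLM\SOFTWARE\Unrelated\Thing
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:8118         0.0.0.0:0              LISTENING       1840
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       1792
  TCP    127.0.0.1:9051         0.0.0.0:0              LISTENING       1792
  TCP    192.168.1.20:1144      198.51.100.23:9001     ESTABLISHED     1792
  TCP    192.168.1.20:1150      198.51.100.24:443      ESTABLISHED     2208
  UDP    0.0.0.0:500            *:*                                    640
"""
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","884","Console","0","5,120 K"
"tor.exe","1792","Console","0","18,432 K"
"polipo.exe","1840","Console","0","3,072 K"
"firefox.exe","2208","Console","0","60,000 K"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REGSHOT, SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{f.kind:10} {f.detail}")
```

Polipo is deliberately absent from the constructed RegShot sample, so the output shows only Tor and Vidalia as installed components while the 8118 listener still appears from the netstat capture; the two sources are checked independently so a partial or cleaned-up install is not missed.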